The CyberWire Daily Podcast 10.3.18
Ep 697 | 10.3.18

Facebook breach updates. Bogus Zoho Office Suite. Brazil's big botnet. Vulnerable router firmware. Patch news. A DGSI officer arrested for dark web collusion with the mob. Bad Fortnite cheats.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Just a quick reminder to check out our Patreon supporter options over at patreon.com/thecyberwire. For $10 a month, you can get yourself an ad-free version of our podcast. It's the same podcast you know and love. It just doesn't have the ads. That's patreon.com/thecyberwire. Thanks.

Dave Bittner: [00:00:22] Facebook continues to investigate its breach. Irish authorities opened a GDPR investigation of Facebook. Bogus offers of Zoho Office Suite are malicious. A big botnet hits Brazil's banking customers. Home routers are found vulnerable. Google and Adobe patch. A DGSI officer is arrested in France for dark web trafficking. FEMA tests its emergency text system. And Fortnite cheats are bad news.

Dave Bittner: [00:00:56] Time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want, actionable intelligence. So sign up for the Cyber Daily email, where every day you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today, and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:08] Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:12] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 3, 2018. Facebook says that, so far, it's seen no evidence of illicit sign-ons to third-party apps. There have been concerns that the social media platform's Facebook Login feature would expose applications to fraud or hijacking. Irish authorities, the one-stop shop for Facebook with respect to GDPR enforcement, are proceeding with their investigation of the breach. Speculation in Europe and elsewhere is trending toward thinking that the fine - and most seem to expect a fine - will be a stiff one despite Facebook's quick compliance with disclosure rules. A quick note on the EU's of one-stop shop principle with respect to its General Data Protection Regulation - in brief, it means that when there is cross-border processing of personal information covered by GDPR, organizations doing that processing, in this case Facebook - but it applies generally - will deal with one supervisory authority. That lead supervisory authority, in this case Ireland's government, doesn't completely preclude other data protection authorities from involving themselves. But the one-stop shop is at least the first shop you have to stop in. While Facebook is getting credit for quick disclosure, that quick disclosure is giving many second thoughts about whether the tight 72-hour GDPR standard is entirely wise. Investigation is still far from complete, and many observers think that coming out publicly so swiftly hasn't been good for the quality of incident response. Security company Cofense warns users of the free Zoho Office Suite that they're at risk of data exfiltration attacks. Criminals have opened multiple keylogging campaigns that exploit the product. The crooks are, for the most part, setting up bogus sites with equally bogus free offers of the product. So classify this one as social engineering. 
High-profile Instagram users, influencers, are being subjected to an account hijacking campaign in which criminals are holding the victims' accounts for ransom. It seems, according to Naked Security, that the root problem is failure to enable two-factor authentication. Instagram recommends you do so whether you're a high-profile influencer or just a regular type. Security firm tCell provides cloud-based web application firewall services, and that provides them with some interesting insights into app security. They recently gathered up some of those findings and published a security report for web applications. Michael Feiertag is CEO at tCell.

Michael Feiertag: [00:04:56] Last year, we did an analysis of how often attacks were successful. And what we found is that if an attacker tried 100,000 different things against the average application, they might find one vulnerability. We found that that's actually stayed consistent over the year. But then we decided to dig a little bit deeper to figure out - what are the sources of those vulnerabilities that people are finding? What we found most striking was that when we looked at the various applications we were protecting - particularly when we were first installed, where it's kind of a, you know, clean data, sort of clean view of the world - we found that literally 90 percent of the active applications, or 90 percent of the apps that we saw exposed to the outside world, were running with third-party libraries that had known vulnerabilities.

Dave Bittner: [00:05:48] Right.

Michael Feiertag: [00:05:48] So it wasn't in the - you know, running an app with a vulnerability was not the exception. It was the absolute rule. And you know, spitballing, roughly a third of those were actually high-priority or critical CVEs. So we're not talking about, you know, minor little things. We're talking about, you know, very significant vulnerabilities introduced into the application from third-party content. And we found that really, really interesting.

Michael Feiertag: [00:06:15] We also saw that the applications over the course - even just over that narrow period of time that we were observing, which was roughly a month or so, they evolved very rapidly, you know? So people are really adopting DevOps and Agile and so forth. But there is a side effect of that, which is that the surface area of the application - so basically, how the apps could be attacked - it doesn't just change; they seem to keep expanding. And we think that's a source of great vulnerability out there that maybe hasn't been focused on enough.

Michael Feiertag: [00:06:48] So you know, we'll see, you know, an average application with literally 2,900 what we call orphaned routes, which is basically, you know, API endpoints or web pages or things that the application can do with actual code behind them that are not actually being used - right? - that we see no traffic against them. But we know that they can be exercised by the outside world, which means an attacker could hit that. And those tend to be the most vulnerable untested functions of the application. So you know, 2,900 different functions the application exposed, generally untested and not being used.

Dave Bittner: [00:07:27] And what's the disconnect there? I mean, obviously people aren't introducing these vulnerabilities intentionally. So where's the oversight? What's the process by which they're included?

Michael Feiertag: [00:07:37] Every app is being built on third-party content. Right?

Dave Bittner: [00:07:41] Right.

Michael Feiertag: [00:07:41] There are third-party libraries, you know, and so forth. So this isn't intentional.

Dave Bittner: [00:07:44] Sure.

Michael Feiertag: [00:07:45] But what happens is, you know, there's a few things. And this is more anecdotal. You know, once you get something working - developers, you know, they're focusing on functionality. And so you kind of move on to the next thing. Vulnerabilities are discovered, very often, after the fact. And so if you have an app that's been running for a couple years, maybe when it was first shipped, it didn't have any known vulnerabilities because the third-party libraries were fresh and, you know, nothing had been discovered yet. But they were there.

Michael Feiertag: [00:08:14] Then over time, the world finds out about these. So you know, think of a stretch, too, as sort of the extreme example of that. You realize, you know, I'm running this application. It's built on a library that, you know, either a day ago or a year ago, we discovered some high-priority CVEs against that. People don't have visibility into that without additional tooling that's not very common. tCell provides that. But you know, as I mentioned, when people first implement, they get kind of the first view of it, which is - oh, man - I've been running this for a year, and it turns out that this library I was using does have a huge hole in it. And I really wouldn't have known that otherwise. And so if I'm not actively patching everything, you know, on an almost daily basis, you run a lot of risk.

Michael Feiertag: [00:09:01] And then the other side - you know, the source of this is, again, people are trying to move faster. Right? The goal is ultimately to ship better software with more functionality. So they're iterating quickly. But then what that translates to is you see what ultimately becomes cruft in the background. Those are orphaned routes. And again, without visibility into that where you can actually measure it, it just falls to the wayside. Right? If you don't see it, you don't think about it. If you don't think about it, you don't address it.

Michael Feiertag: [00:09:29] And so - you know, to answer your question directly, I think that the real source of a lot of these problems is lack of visibility into risk of the running applications, whether it's understanding what attacks are happening and so you know how people are trying to compromise you or just understanding the underlying structure of your applications that they're changing from a security perspective and knowing what to do about them.

Dave Bittner: [00:09:57] That's Michael Feiertag from tCell. If you want to dig into their security report for web applications, you can find it on the tCell website.

Dave Bittner: [00:10:07] Security firms Radware and Qihoo 360 are independently tracking a very large botnet that's intercepting traffic destined for Brazilian banks. More than 100,000 routers have seen their DNS settings altered to redirect users to watering hole pages. Most of the routers affected - 88 percent of them, according to ZDNet - are located in Brazil. As one might expect, the goal of the redirection is credential theft.

Dave Bittner: [00:10:36] Tenable, the Maryland-based security company, warns that widely used TP-Link TL-WR841N consumer routers are susceptible to attacks that concatenate a series of flaws to obtain control over the devices. TP-Link has yet to fix the vulnerable firmware. Unfortunately, there seems to be no mitigation. If you own one of the routers, Tenable suggests you call the vendor to complain, to light a fire under them and accelerate patching.

Dave Bittner: [00:11:06] Several companies have patched their widely used products. Adobe has fixed 85 issues - 47 of them critical - in Acrobat and Reader. Google has addressed six critical remote code execution vulnerabilities in the Android operating system. Mountain View has also put measures in place to introduce more privacy and security into app development.

Dave Bittner: [00:11:28] A dirty cop has been arrested in France. He worked for the DGSI. That's the General Directorate for Internal Security. They work on counterespionage, counterterrorism, counter-cybercrime and surveillance of potential threats. Its functions would be similar to those of the U.S. FBI, although DGSI is more an intelligence and security service than it is a law enforcement agency. The unnamed officer is accused of selling confidential information to mobsters on the Black Hand dark web market. He went by the hacker name Haurus, and he's thought to have sold material that aided and abetted forgery. He also is said to have hawked a service that would tell clients whether they were being tracked by the French police and what the police had on them.

Dave Bittner: [00:12:17] Did you get your text alert from FEMA today, U.S. listeners? We did. It came in a little after 2 p.m. Eastern Time. It wasn't at all distracting or disruptive, and it looked like a practice alert, a drill, and not the real thing. Emergency alert, it said, this is a test - in all caps - of the National Wireless Emergency Alert System. No action is needed. That's plain enough to us. If you're confused, then shame on you, and go back to your basement to hide from those Martian Tripods we hear just landed in South Jersey.

Dave Bittner: [00:12:49] Finally, there are Fortnite cheats circulating and instructional videos posted to YouTube. Players who attempt to use them are likely to be infected with malware for their troubles. There's similar stuff on offer through Instagram posts. Don't cheat. Besides, the cheats wouldn't improve your dance anyway.

Dave Bittner: [00:13:13] Now a moment to tell you about our sponsor ObserveIT. It's 2018. Traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time consuming to maintain and too heavy on the endpoint. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box Insider Threat Library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:14:23] And I'm pleased to be joined once again by David DuFour. He is the vice president of engineering & cybersecurity at Webroot. David, welcome back. You know, the video game market is huge. It is a giant market. And of course, with that comes security issues. What do we need to know about that?

David DuFour: [00:14:41] Yeah. You know, when we talk about video game safety, there is a small niche market that not a lot of people talk about - when you get mad at your computer and you jump around and you throw it around, it might fall on your foot. But that's not what we're talking about today, Dave. We're talking about, you know, like cybersecurity, things like that. One of the big things that we've seen in a shift in the industry is that video games basically have become social networks. And I don't think a lot of people realize that. To call one out that I'm guilty of playing multiple hours a day is Fortnite. And when I...

Dave Bittner: [00:15:18] Yes, my 12-year-old plays a lot of Fortnite. I don't know - I'm not making any connections there, but go on.

David DuFour: [00:15:24] (Laughter) Yes, that's been pointed out to me quite often. Thank you. But the - with Fortnite, when I'm playing, I actually can be dropped in with two, three, four other people I don't know. And I'm able to talk to them, not just chat but actually talk with them. And now - you know, you think on the surface, well, that sounds good. And it's pretty nice. It's good community.

David DuFour: [00:15:47] But there's things that we need to consider. One, to your point, if we have our children playing these games, we need to make sure they're aware of strangers and be conscious of the people they're talking to - these are real people - and just be aware of that, you know, community. And then there are things they need to pay attention to. That's one component.

David DuFour: [00:16:06] The other would be, there's a lot of in-game purchases now, both on mobile apps, on large games like Fortnite - even other games that are, you know, solo games. And so a lot of these games have our credit card information, have our addresses, have personal information about us. And so we need to also be aware that if these games get hacked, that it's possible someone could get our information and use it in ways we don't want or charge something up and change our account. And next thing you know, we've got a thousand-dollar charge we didn't expect. So we've got to be conscious of that as well, as you know, there's a lot more selling going on in these environments.

Dave Bittner: [00:16:51] Yeah. I think it's easy to think, particularly when you think about these gaming platforms, that they're kind of walled gardens. But when it is a functional social network, well, you got to be worried about things like social engineering.

David DuFour: [00:17:06] That's exactly right. And again, it's just about being conscious of it, you know? It's great. Social networks aren't inherently bad. It's just - be aware that you're talking to strangers.

David DuFour: [00:17:17] And one last thing we see quite a bit - and here, you know, at Webroot, we make antivirus software. We see a lot of gamers turn off their antivirus while they're playing games and potentially forget to turn it back on. And so if you do that, you know, you're opening yourself up to risk. I highly recommend you find something that works while you're playing a game and doesn't affect it because you do want that optimal performance. But you also need to be aware of - making things run better, sometimes you turn things off, and you're taking that risk. Or maybe you're opening up ports on a firewall because you want to play a game with your friends, and you're doing a peer-to-peer network. You just got to keep in mind the stuff you're doing and not expose yourself to security risks you wouldn't normally take.

Dave Bittner: [00:18:03] No, that's a great point. I remember when my oldest son was a teenager. I sat down at our family computer one day and noticed that some ports had been opened up. And I would say - wait. What's going on here? My son said, oh, I just needed to play a game. I went - whoa - hold on here, cowboy. No.

(LAUGHTER)

David DuFour: [00:18:22] That's exactly right. And honestly, the gaming industry has spent a ton of time, energy and money - and I got to tip my hat to them - in securing these networks and making it so you don't have to do that. But you know, there's still flaws. But more than most industries, they really do look at security and take it seriously.

Dave Bittner: [00:18:41] No, it's interesting. David DuFour, thanks for joining us.

David DuFour: [00:18:45] Thanks for having me, David.

Dave Bittner: [00:18:49] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.

Dave Bittner: [00:18:57] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:19:15] And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:24] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:19:34] Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.